corporate governance of ict charter - bitou.gov.za

Policy Title: Corporate Governance of ICT Charter

Status: Draft policy workshopped on the 22nd March 2018. Submitted to Council for approval and adoption per Item C/2/96/06/18 on the 29 June 2018.

FY 2018/2019

Page 1 of 13

Corporate Governance of ICT Charter

Document ID ICT01 (Version 1, dated 29 April 2018)

Last Approval (N/A)

June 2018

FY 2018/2019

TABLE OF CONTENTS

GLOSSARY
1. Purpose of Charter
2. Introduction
3. Legislation
3.1. External Inputs
3.2. Legislation
4. Scope
5. Key Elements
5.1. King Principles
5.2. COBIT Key Elements
6. Objectives of Charter
7. Structures, Functions, Roles and Responsibilities
7.1. Structures
7.1.1. High Level Structure
7.1.2. Other Structures
7.1.3. The Municipal Council
7.1.4. The Municipal Manager
7.1.5. Municipal ICT Steering Committee
7.1.6. Municipal Risk Committee
7.1.7. ICT Audit Committee
7.1.8. Management
7.1.9. Established Policies and Plans
7.2. Functions, Roles and Responsibilities
7.3. Members
8. Framework Policies and Guidelines
9. Evaluation and Review

GLOSSARY

AG Auditor-General of South Africa

CIO Chief Information Officer

CGICTPF Corporate Governance of ICT Policy Framework

DPSA Department of Public Service and Administration

DCOG Department of Cooperative Governance

ICT Information and Communications Technology

ISO/IEC International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC)

ISO/IEC 38500 International Standard on Corporate Governance of ICT (ISO/IEC WD 38500: 2008: 1)

ITGI™ ICT Governance Institute

King III The King III Report and Code on Governance for South Africa

MICTGP Municipal ICT Governance Policy

M&E Monitoring and Evaluation

PSCGICTPF Public Service Corporate ICT Governance Policy Framework

SALGA South African Local Government Association

SDBIP Service Delivery and Budget Implementation Plan

CORPORATE GOVERNANCE OF ICT CHARTER

1. Purpose of Charter

The purpose of this Charter document is twofold; firstly, it will guide the creation and maintenance of effective enabling governance structures, processes and practices as dictated by the Municipal Corporate Governance of ICT Policy.

Secondly, the Charter also clarifies the governance of ICT-related roles and responsibilities towards achieving the municipality’s strategic goals. In order to achieve this, various best practices, standards and legislation are used.

2. Introduction

The Charter depicts how the Municipal Corporate Governance of ICT Policy will be implemented and describes the related structures, processes, functions, accountability, roles and responsibilities, delegations and reporting responsibilities. This Charter has been customised to accommodate Bitou Municipality’s unique operating environment, whilst ensuring the principles of the Municipal Corporate Governance of ICT Policy are maintained.

In order to understand the Charter and its supported elements, Figure 1 will be used for reference.

Figure 1: Supporting Elements of Charter

From Figure 1 it is clear that two main levels exist. Firstly, the Legislative Level comprises the Municipal Corporate Governance of ICT Policy, referred to as “A” in Figure 1. This is a legislative document from the Department of Cooperative Governance and Traditional Affairs containing requirements that local government must adhere to.

Secondly, Figure 1 shows the Local Government Level. This level comprises multiple elements, which are further divided into sub-levels.

The first sub-level is the Executive sub-level, which contains the Charter, referred to as “B” in Figure 1. This Charter receives various inputs from “A” but also flows into the next sub-level.

The second sub-level is the Tactical sub-level, which receives input from “A” and contains Corporate Governance of ICT Policy. This element will provide guidance and input for the third element, the ICT Strategy Plan, referred to as “D” in Figure 1.

The third sub-level contains the implementation of the combined elements and is called the Operational sub-level. Within this sub-level, the Implementation of Plan, referred to as “D” in Figure 1, is housed and receives input from both “C” and “B” in the Tactical sub-level.

All these elements together address the Corporate Governance of ICT in Bitou Municipality.

[Figure 1 (diagram not reproduced). Level labels: A, Legislative Level; Local Government Level, comprising B, Executive Sub Level; C, Tactical Level; D, Operational Level. Box labels: Municipality Corporate Governance of ICT Policy (MCGICTP); Corporate governance of ICT for Bitou Municipality; ICT Plan; Charter; ICT Implementation plan; Implementation of plan.]

3. Legislation

As dictated by the Municipal Corporate Governance of ICT Policy (Figure 1: A), multiple best practices, standards and legislation were used in order to draft this Charter.

3.1. External Inputs

1. ISO/IEC 38500 standard

2. King Code

3. COBIT processes

3.2. Legislation

1. Municipal Systems Act 2000 (Act 32 of 2000)

2. Municipal Finance Management Act 2003 (Act 56 of 2003)

These best practices, standards and legislation form the basis of the structures needed in order to implement the Corporate Governance of ICT.

4. Scope

This Charter for Corporate Governance of ICT (Figure 1: B) is applicable to Bitou Municipality collectively, as stated in the approved Municipal Corporate Governance of ICT Policy (Figure 1: A). The Executive Authority, Accounting Officer and Executive Management are important driving factors in this regard. This Charter is the mandate on how the Governance of ICT will be established in Bitou Municipality.

5. Key Elements

5.1. King Principles

1. The Municipal Council of local government should be responsible for Information Communication Technology (ICT) Governance.

The King Code recommends that strategic management (the Municipal Council in this case) should establish an ICT Charter (Figure 1: B). Furthermore, this ICT Charter should outline the decision-making rights and accountability framework for the Governance of ICT that would enable the desirable culture in the use of ICT within the municipality.

The COBIT key elements support the above-mentioned King Code.

5.2. COBIT Key Elements

1. Strategic alignment focuses on ensuring the linkage of business and ICT plans, defining, maintaining and validating the ICT value proposition, and aligning ICT operations with enterprise operations.

2. Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that ICT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of ICT.

3. Resource management is about the optimal investment in, and the proper management of, critical ICT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.

4. Risk management requires risk awareness by senior organisational officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.

5. Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

Based on the above-mentioned key elements, the objectives of this Charter are defined below.

6. Objectives of Charter

As dictated by the Municipal Corporate Governance of ICT Policy (Figure 1: A), the objectives of the Charter (Figure 1: B) are as follows:

A. To identify and establish a Corporate Governance of ICT Policy (Figure 1: A) and implementation guideline for the municipality;

B. To embed the Corporate Governance of ICT as a subset of the municipal governance objectives;

C. Create municipal value through ICT enablement by ensuring municipal IDP and ICT strategic alignment;

D. Provide relevant ICT resources, organisational structure, capacity and capability to enable ICT service delivery;

E. Achieve and monitor ICT service delivery performance and conformance to relevant internal and external policies, frameworks, laws, regulations, standards and practices;

F. Implement the governance of ICT in the municipality, based on an approved implementation plan (Figure 1: C).

G. Regarding the above-mentioned objectives, certain structures need to be in place in order to address each objective. These structures need to be in place

7. Structures, Functions, Roles and Responsibilities

The Charter outlines the decision-making rights and accountability of ICT governance that will enable the desirable culture in the use of ICT within the municipality. This is achieved by requiring ICT management to provide timely information to comply with direction given by Municipal Council and to conform to the principles of good governance.

7.1. Structures

Specific structures should be established to give effect to the Governance of ICT, and the management of ICT functions.

7.1.1. High Level Structure

The Corporate Governance of ICT has three tiers, and each tier has a process for decisions and reporting, as listed in Table 1.

| Structure | Position | Responsibility | Process |
| --- | --- | --- | --- |
| Executive Authority Level | Mayor/Council and Municipal Manager | Direct and Monitor the Performance of ICT | Municipal Council Meetings |
| Tactical Management | Municipal Manager/HODs/Assigned councillors | Supervise, check and act to effectively leverage ICT resources | ICT Steering committee/Head of Department Meetings |
| Process Level | Manager: ICT/ICT department | Activities are performed, controlled and checked in alignment with business objectives | Day to day processes |

Table 1: Three-Tiered Structure

Other structures should also be established that could support the three-tiered structure.

Figure 2: Structure – Charter Directive

7.1.2. Other Structures

7.1.3. The Municipal Council

The Municipal Council must provide political leadership and strategic direction through:

- Determining policy and providing oversight;
- Taking an interest in the Corporate Governance of ICT to the extent necessary to ensure that a properly established and functioning Corporate Governance of ICT system is in place in the municipality to leverage ICT as an enabler of the municipal IDP;
- Assisting the Municipal Manager to deal with intergovernmental, political and other ICT-related Municipal issues beyond their direct control and influence; and
- Ensuring that the municipality’s organisational structure makes provision for the Corporate Governance of ICT.

7.1.4. The Municipal Manager

The Municipal Manager must provide strategic leadership and management of ICT through:

- Ensuring alignment of the ICT strategic plan with the municipal IDP;
- Ensuring that the Corporate Governance of ICT is placed on the municipality’s strategic agenda;
- Ensuring that the Corporate Governance of ICT Policy Framework, and related policies for the institutionalisation of the Corporate Governance of ICT are developed and implemented by management;
- Determining the delegation of authority, personal responsibilities and accountability to the Management with regard to the Corporate Governance of ICT;
- Ensuring the realisation of municipality-wide value through ICT service delivery and management of Municipal and ICT-related risks;
- Ensuring that appropriate ICT capability and capacity are provided and a suitably qualified and experienced Governance Champion is designated;
- Ensuring that appropriate ICT capacity and capability are provided and that a designated official at a Management level takes accountability for the Management of ICT in the municipality; and
- Ensuring the monitoring and evaluation of the effectiveness of the Corporate Governance of ICT system e.g. ICT steering committee.

7.1.5. Municipal ICT Steering Committee

- The establishment of an appropriate ICT Steering Committee will ensure that the application, management and review of the organisation’s ICT strategies and plans are consistent with the goals and objectives of the organisation and will ensure that the department complies with legislation.
- The ICT Steering Committee will advise management on all matters related to ICT.

7.1.6. Municipal Risk Committee

- An appropriate Municipal Risk Committee, whether newly established or existing, will accept the responsibility to perform an oversight role for the identification and mitigation of ICT-related risks.
- The Municipal Risk Committee will assist management in carrying out the Corporate Governance of ICT accountabilities and responsibilities.

7.1.7. Audit Committee

- The established and appropriate Audit Committee will accept the responsibility to perform management of ICT audit and governance compliance.
- The Audit and Audit Performance Committee will assist management in carrying out the Corporate Governance of ICT accountabilities and responsibilities.

7.1.8. Management

Management must ensure that:

- ICT strategic goals are aligned with the municipality’s strategic goals and support the municipal processes;
- Municipal-related ICT strategic goals are cascaded throughout the municipality for implementation and are reported on.

Specific policies and plans need to be established to support the mentioned structures.

7.1.9. Established Policies and Plans

| No. | Policy Plan | Owner | Approval |
| --- | --- | --- | --- |
| 1 | Corporate Governance of ICT Policy | Municipal Manager | Council |
| 2 | Corporate Governance of ICT Charter | Municipal Manager | Council |
| 3 | ICT Steering Committee Charter | Municipal Manager | ICT Steering Committee |

| No. | Operational Policy | Owner | Approval |
| --- | --- | --- | --- |
| 4 | ICT Disaster Recovery Policy | ICT | Council |
| 5 | ICT Data Backup and Recovery policy | ICT | Council |
| 6 | ICT Operating Security Control Policy | ICT | Council |
| 7 | ICT Security Control Policy | ICT | Council |
| 8 | ICT User Access Management policy | ICT | Council |

| No. | Policy Plan | Owner | Approval |
| --- | --- | --- | --- |
| 9 | ICT Service Level Agreement and Contract Management | ICT | ICT Steering Committee |
| 10 | ICT Enterprise Architecture | ICT | ICT Steering Committee |
| 11 | ICT Disaster Recovery Plan | ICT | ICT Steering Committee |
| 12 | ICT Strategy Plan | ICT | ICT Steering Committee |
| 13 | Risk Management Policy | Internal Audit | Council |
| 14 | Internal Audit Plan | Internal Audit | Audit Committee |

According to the Municipal Corporate Governance of ICT Policy (Figure 1: A), the above-mentioned structures, including established policies and plans, should be established in order to complete the phases of Corporate Governance of ICT.

7.2. Functions, Roles and Responsibilities

According to the Municipal Corporate Governance of ICT Policy (Figure 1: A), specific functions, roles and responsibilities should exist, regarding the established structures.

These functions, roles and responsibilities are addressed in this Charter (Figure 1: C).

7.3. Members

Regarding the structures previously mentioned, specific members need to form part of each structure. The ICT Steering Committee Charter addresses the members of each structure.

All mentioned structures, functions, roles and responsibilities are important to give effect to the Governance of ICT.

8. Framework Policies and Guidelines

Corporate Governance of ICT is a collection of various documents and policies which guide council in decision making, monitoring risks and performance. These are required to ensure that status quo, business direction and management procedures are documented and available. The following policies and documents are required to ensure the governance of ICT and are linked to this Charter document:

Policy: Corporate Governance of ICT Charter (This Document) (Figure 1: B)
Requirements:
- Accountability allocated to departments
- Business and ICT structures defined
- Business and ICT role and responsibilities defined
- Business and ICT decision making powers defined
- Business and ICT delegations allocated

Policy: ICT Plan (ICT strategy/ /ICT Book of standards) (Figure 1: C)
Requirements:
- Mapping of elements of information plan in ICT plan
- Departmental business assurance that ICT understands the business and its processes
- Business service delivery and ICT alignment
- Current and future ICT status: skills, structure and policies
- Multi-year high level ICT implementation roadmap

Policy: ICT Operational Manual
Requirements:
- Owned and developed by IT but executive management must ensure it is aligned to business
- ICT operational policies
- IT assets, resources, capacity and capability optimised
- Applications, information and technology use and management
- Management of ICT related business risk

Policy: Continuous Improvement Roadmap
Requirements:
- Policies revised at least every 3 years (developed by business on a strategic level and IT department on an operational level)
- ICT Strategic Plan
- Roadmap linked to Annual Performance Plans to improve and functionality of:
  - CGICT system
  - Business and ICT service delivery alignment
  - Business management of ICT
  - Governance of and management of ICT

Table 4: Framework Policies and Guidelines

9. Evaluation and Review

The review of policies, procedures and charters ensures the adaptation to new legislation, executive decision-making platforms that may change and maturing of ICT governance. Associated Policies must be reviewed or revised.

The policies and charters must be developed or reviewed by management on a strategic level and IT department on an operational level. This process must be linked to the Improvement Roadmap and Annual Performance Plans.

The Executive Authority Level and Executive Management give their full support for determining the required processes needed for Corporate Governance of ICT as well as the implementation thereof, as far as possible from an administrative and financial capability.